
User create services already tagged

0

Hello everyone,

We have a user from outside our organization who will do some things in the AWS console, such as Glue, Athena, and lambda. However, I want to know if there is a way for me to set the user, or in his policy, that all services he creates will be tagged by these tags that I set.

3 answers
0

Hi

  • Here is an example below: you can define a condition key that checks for the presence of specific tags on the resource being created
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:*",
        "athena:*",
        "lambda:*"
      ],
      "Resource": [
        "arn:aws:glue:*:*:table/*/*",
        "arn:aws:athena:*:*:workgroup/*",
        "arn:aws:lambda:*:*:function:*"
      ],
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/tagName1": "value1",
          "aws:ResourceTag/tagName2": "value2"
        }
      }
    }
  ]
}

Expert
answered 2 years ago
  • Thanks, I'll try that

  • To expand on that policy piece, if you were to provide that external user access to an IAM role in your AWS account with such a tag-based policy attached, then they would not be able to create/view or edit any resources that did not have those tags that you defined. Thus the user will be mandated to create resources with those specified tags, achieving your end goal :)
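A fuller policy of the kind the answer above sketches, as an added example that is not the answerer's code: at creation time IAM can only evaluate the tags passed in the request (aws:RequestTag and aws:TagKeys), while aws:ResourceTag matches only resources that already carry the tags, so creation and later management need separate statements, and a Deny stops the user from stripping the required tags afterwards. The tag keys and values (Project, Owner) and the action list are assumptions chosen for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateOnlyWithRequiredTags",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction", "lambda:TagResource",
        "athena:CreateWorkGroup", "athena:TagResource",
        "glue:CreateJob", "glue:CreateCrawler", "glue:TagResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Project": "data-platform",
          "aws:RequestTag/Owner": "external-contractor"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["Project", "Owner"]
        }
      }
    },
    {
      "Sid": "ManageOnlyResourcesCarryingRequiredTags",
      "Effect": "Allow",
      "Action": ["lambda:*", "athena:*", "glue:*"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Project": "data-platform",
          "aws:ResourceTag/Owner": "external-contractor"
        }
      }
    },
    {
      "Sid": "DenyRemovingRequiredTags",
      "Effect": "Deny",
      "Action": ["lambda:UntagResource", "athena:UntagResource", "glue:UntagResource"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["Project", "Owner"]
        }
      }
    }
  ]
}
```

List and Describe calls that are not scoped to a single tagged resource (for example listing functions or workgroups) do not carry aws:ResourceTag, so they fail the second statement and need their own unconditional Allow if the user is expected to browse the console.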

0

Hello Marcelo,

As far as I know, there are no native solutions that can automate the tagging based on user, but you can enforce tagging in your environment as described here.

With that said, AWS provides building blocks that you can use to tag the resources automatically as described here and here

Let me know if this helps.

Best regards, Mukul Dharwadkar

answered 2 years ago
AWS
Expert
reviewed 2 years ago
  • Thanks! I'll check the links

0

There is another way to look at it. How about setting a permission boundary or Service Control Policy (SCP) which restricts users from creating resources that are not appropriately tagged?

Refer to the following blog and re:Post Knowledge Center article:

Comment here if you have additional questions. Happy to help.

Abhishek

AWS
Expert
answered 2 years ago
